Login redirect & token refresh #19
Comments
Related issue: now that the auth operations have been switched from REST calls to GraphQL, errors are no longer being reported correctly. This seems to be due to the switch from
Video guide on implementing a refresh token flow for JWT / express: https://www.youtube.com/watch?v=UA0AIkjI85c Plus the front-end code used to set and update tokens: https://github.com/benawad/gello-world/blob/7_advanced_jwt_auth/src/index.js
Why use refresh tokens?
While researching this I had the question of "what is the point of refresh tokens?" From what I read, the auth token should have a short life (say, 5 - 15 mins) whereas the refresh token has a longer life (say, 1 - 2 weeks). User logs in, then the auth token expires after 5 mins and so the refresh token is checked, validated, and a new auth token is issued. The refresh token is presumably stored in the same fashion as the auth token (localStorage, for example). If an attacker can get the auth token, they can also get the refresh token. So where is the additional security? Answer from https://security.stackexchange.com/a/119392:
From reading that whole thread, it seems that the clear purpose of a refresh token is to:
Where to store tokens? localStorage vs sessionStorage vs cookies
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
From https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage
From: https://www.whitehatsec.com/blog/web-storage-security/
Thoughts
Cookies seem to be the better option but the main issue is CSRF attacks. Angular's HttpClient has built-in CSRF mitigations, see https://angular.io/guide/security#xsrf, so this could be the best way to go. It may also simplify the token transfer/refresh process. Todo: watch this https://www.youtube.com/watch?v=sHKyMwIK9F0
The JWT generated on login is time-limited. Once it expires, the session is no longer valid and the user must log in again.
For a long, continuous user session, this is undesirable. The token should be refreshed during use. Needs research on how this is best achieved.
Secondly, if the user is inactive for an extended period (e.g. puts laptop to sleep, opens it the next day and the admin UI is still open in the browser), then the next API call will fail with a 403 error. In this case, the app should automatically re-route to the login page, and upon successful login, redirect the user back to the route they were last requesting before the error.